TRENDnet TEW-831DR Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the TRENDnet TEW-831DR router, specifically in version 1.0 (601.130.1.1410). The issue arises in the file '/boafrm/formSysCmd', where the 'sysHost' parameter can be manipulated to inject arbitrary commands. This vulnerability requires authentication to exploit but can be executed remotely. The injected commands are executed with the same privileges as the authenticated user, potentially leading to a full system compromise.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the router's operating system, with the risk of gaining unauthorized access to sensitive data, disrupting normal device operations, and potentially compromising internal networks.

Reproduction

To reproduce this vulnerability, authenticate with the device to obtain a CSRF token. Then, send a POST request to '/boafrm/formSysCmd' with the 'sysHost' parameter set to an IP address or hostname, followed by injected commands using command injection techniques, such as appending '&&' to execute additional commands. Include the CSRF token and authorization in the request headers.

Remediation

It is recommended to validate the 'sysHost' input to allow only safe hostnames or IP addresses, and to use chroot or sandboxing to contain command execution if necessary.
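One way to implement the 'sysHost' allowlist recommended above, as an added example rather than code from TRENDnet or from this advisory. The function name `is_safe_host` and the sample values are assumptions, and the check covers hostnames and IPv4 literals only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 only if s is a plain hostname or IPv4
 * literal built from [A-Za-z0-9.-]; every other input is rejected. */
int is_safe_host(const char *s)
{
    size_t len, i, label_len = 0;

    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c == '.') {
            /* Reject empty labels and labels that end in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (c == '-') {
            /* A leading '-' could be read as an option by the called tool */
            if (label_len == 0)
                return 0;
        } else if (c > 127 || !isalnum(c)) {
            return 0;   /* shell metacharacters, whitespace, newlines, ... */
        }
        if (++label_len > 63)
            return 0;
    }
    /* The last label must be non-empty and must not end in '-' */
    return label_len > 0 && s[len - 1] != '-';
}

int main(void)
{
    /* Constructed sample values for the sysHost parameter */
    const char *samples[] = { "192.168.10.1", "router.example.com",
                              "192.168.10.1 && x", "-c1", "a..b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               is_safe_host(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Passing the validated value as a single argv element to an exec-family call, instead of building a shell command string, keeps a shell out of the path entirely.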

Added: Sep 9, 2025, 3:19 PM
Updated: Sep 9, 2025, 4:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.